I Quit Using pfsense

[coxhaus]

I have been using pfsense for couple of years on an old Xeon processor. I had to do some maintenance so I switched back to my old Cisco RV320 router. All my local routing is handled by my layer 3 switch so the router just moves packets thorough NAT. Not a big job for a router. When I switched back to my RV320 with the latest firmware the web pages popped faster than my pfsense router. It was easy to tell.

I switched back and forth when I decided to start using pfsense several years ago. Web pages back then were just as fast as my RV320 router. Something has changed. My configuration really has not changed but I have gone through several software updates on the pfsense side.

DSL's speedtest comes out about the same with maybe favoring pfsense for throughput.

I did have time server setup for all my network equipment which I will miss in pfsense.

This is just food for thought.

 

[Nullity]

It's a mostly useless post without details about why it happened...

Were you using Unbound? Recursive DNS lookups take a bit longer than using 3rd-party DNS servers.

 

[coxhaus]

I use Spectrum DNS in a forward fashion in both pfsense and the RV320. I like to lock my DNS to my ISP's DNS. I am not using unbound. In the old version maybe 2.2 or 2.3 pfsense , I don't remember, it was just as fast with web pages. My pfsense setup has stayed the same since the beginning. I did try turning off traffic shaping which made no difference as I don't max my connection out.

 

[System Error Message]

the cisco RV (Or any "VPN" routers) are a piece of junk. Did you check the CPU usage? Did this only happen after you updated pfsense?

 

[VisionxOrb]

Its funny you mention this, Ive been running pfsense for a long time and I to felt like the last few versions my internet felt slow eventhough my speed tests always look good. I recently just decided to jump to the 2.4-rc for kicks and internet feels more like it used to. not scientific I know.

my pfbox is a amd phenom 2 quadcore with 16gb ram. nics are some GB realteks

 

[coxhaus]

the cisco RV (Or any "VPN" routers) are a piece of junk. Did you check the CPU usage? Did this only happen after you updated pfsense?

The CPU usage on my pfsense rarely goes above 3% most of the time it is below 1%. My pfsense does not work hard as it does not run DHCP or anything other than NAT.
I don't know where pfsense slowed down with web pages as I have not compared it in a couple of years. There have been several software upgrades since I last compared it.

PS
My motherboard is a real Intel Xeon server motherboard with 2 built-in Intel NICs back when Intel built motherboards.

 

[Deepcuts]

I would blame unbound for pfsense sluggishness.

 

[coxhaus]

I would blame unbound for pfsense sluggishness.

Maybe so but I have not changed my DNS setup since the beginning.

I watch my DNS setting because about 10 years ago my home network was hacked and my DNS settings were changed to run through a China IP address. China had access to all my IP address destinations for a week or so plus they had the power to present false web pages to me. So now days I only allow my ISP's DNS. Back in the old days I did not block all DNS servers except my ISP's. The hackers substituted a different IP address for my DHCP server which started handing them out to all my workstations and devices. My network kept running using the China IP address. Now days my network stops because all DNS servers are invalid except for my ISP's DNS server.

 

[System Error Message]

Maybe so but I have not changed my DNS setup since the beginning.

I watch my DNS setting because about 10 years ago my home network was hacked and my DNS settings were changed to run through a China IP address. China had access to all my IP address destinations for a week or so plus they had the power to present false web pages to me. So now days I only allow my ISP's DNS. Back in the old days I did not block all DNS servers except my ISP's. The hackers substituted a different IP address for my DHCP server which started handing them out to all my workstations and devices. My network kept running using the China IP address. Now days my network stops because all DNS servers are invalid except for my ISP's DNS server.

you could always switch to my setup instead. Mikrotik for router, asus for AP and an x86 PC as a companion to it (ARM boards are fine too) running an IDS. Its the best combination and you will get instant browsing speeds without the horrible cisco RV hardware and reliability.

Mikrotik also has web and socks proxy allowing you to do a transparent proxy cache setup if you want and giving you the option to use ram as cache.

Not sure if pfsense supports it by try using dnscrypt, it can bypass your ISP's DNS hijacks and any sort of detection they use for it so you arent forced to use your ISP's DNS server.

 

[coxhaus]

I have no problems with the RV320 router. It is very fast in my network. And remember I don't use any features in my routers just NAT, no DHCP, no routing or anything else so this makes my routers run extra fast in my network. The only thing I miss is a time server which was in pfsense and not in the RV320 router.

The other thing I left out is I plan to add a routing protocol between my router and my layer 3 switch. This will allow my network to be more dynamic and easier to work on and change equipment out on. I think as long a my local pipe size is always larger than my internet speed the routing protocol will not slow down my internet access speed as I do not want to effect my internet speed.

I ran Untangle for years in the past which had some IDS in it. It was good but you pay the penalty with increase latency. Untangle was slower than both my Rv320 router and pfsense. I tried SNORT for a week on pfsense which I never really fine tuned but it slowed down pfsense so much I completely reinstalled pfsense from scratch and decided not to run any packages on pfsense.

My question to you and everybody is what happens to your network if someone hacks you DNS server IP? I want my network to refuse any DNS servers except my ISP's server. If they hack the ISP server then I figure we have much bigger problems than just my network. So my network stops resolving traffic if it is not my ISP DNS server's traffic. This is another reason I like my DHCP server not in my router connected to the internet to be hacked. I would rather my DHCP server be deeper in my network.

Remember any DNS server you use allows them to instantly hack your network using a false web page copied which you think you are on but contains invisible hacking code because the DNS resolves your internet web page to a different IP address. Be careful using any old DNS servers.

PS
When I was hacked back in the old days hardware was still primitive. I think my firewall was running on a slot Pentium 300 or 500 mhz. It was a while back.

 

[MichaelCG]

If your firewall/router is compromised, the least of your worries are where your DHCP server resides. They own the router...they own your traffic no matter what DNS server you are using.
- keep all devices patched/updated
- do not expose anything to the Internet that isn't absolutely required
- use strong and unique passwords on devices (don't use the same credentials on the FW that you do on other devices)

 

[System Error Message]

I have no problems with the RV320 router. It is very fast in my network. And remember I don't use any features in my routers just NAT, no DHCP, no routing or anything else so this makes my routers run extra fast in my network. The only thing I miss is a time server which was in pfsense and not in the RV320 router.

The other thing I left out is I plan to add a routing protocol between my router and my layer 3 switch. This will allow my network to be more dynamic and easier to work on and change equipment out on. I think as long a my local pipe size is always larger than my internet speed the routing protocol will not slow down my internet access speed as I do not want to effect my internet speed.

I ran Untangle for years in the past which had some IDS in it. It was good but you pay the penalty with increase latency. Untangle was slower than both my Rv320 router and pfsense. I tried SNORT for a week on pfsense which I never really fine tuned but it slowed down pfsense so much I completely reinstalled pfsense from scratch and decided not to run any packages on pfsense.

My question to you and everybody is what happens to your network if someone hacks you DNS server IP? I want my network to refuse any DNS servers except my ISP's server. If they hack the ISP server then I figure we have much bigger problems than just my network. So my network stops resolving traffic if it is not my ISP DNS server's traffic. This is another reason I like my DHCP server not in my router connected to the internet to be hacked. I would rather my DHCP server be deeper in my network.

Remember any DNS server you use allows them to instantly hack your network using a false web page copied which you think you are on but contains invisible hacking code because the DNS resolves your internet web page to a different IP address. Be careful using any old DNS servers.

PS
When I was hacked back in the old days hardware was still primitive. I think my firewall was running on a slot Pentium 300 or 500 mhz. It was a while back.

Not sure if you can do this with the cisco rv, but with configurable routers like mikrotik, i filter both input and output, so i only accept the input from my DNS server exactly (both IP and port), and accept output to my DNS server exactly (both IP and port) and drop the rest. So if the DNS server is changed then the DNS service will fail.

 

[coxhaus]

Yes the RV320 router can filter both IP and port on the WAN side. I have my RV320 router setup that way as explained above. I guess I should add you can filter the LAN side also but if it is stopped before it enters you network I don't see the need, just wastes extra processing power.

Yes I think it is a good thing to have DNS service fail if your DNS server changes. This is what I do as explained above. You do not want your network to keep running with a fake DNS server.

 

[coxhaus]

If your firewall/router is compromised, the least of your worries are where your DHCP server resides. They own the router...they own your traffic no matter what DNS server you are using.
- keep all devices patched/updated
- do not expose anything to the Internet that isn't absolutely required
- use strong and unique passwords on devices (don't use the same credentials on the FW that you do on other devices)

I like what you said and agree. I do use a really long password for my router which is only used on the router with special characters. Security updates are very important and should be applied at the earliest possible chance. I have never had anybody own my router yet, just hacked my DNS. I would think hacking DNS is much easier than owning the router. I still would rather have my network services dispersed across my network to keep the hackers guessing rather than all in one place.

 

[System Error Message]

Yes the RV320 router can filter both IP and port on the WAN side. I have my RV320 router setup that way as explained above. I guess I should add you can filter the LAN side also but if it is stopped before it enters you network I don't see the need, just wastes extra processing power.

Yes I think it is a good thing to have DNS service fail if your DNS server changes. This is what I do as explained above. You do not want your network to keep running with a fake DNS server.

Dont need to use that from LAN side, what you do from LAN is use DNS hijacking by redirecting DNS, NTP and DNScrypt traffic to the router (with DNScrypt router must support it though for this). This way regardless of user setting the router will be both the DNS and NTP server for your network clients. You can do this with a different server on your network but you must add esceptions for it (but on the router you can use the forward rules to filter the DNS to ensure the server only uses the servers you specify like with the rules for WAN to only allow specific DNS servers)

 

[MichaelCG]

If you want to be uber paranoid and try to secure everything possible....we are way outside of that in these forums using consumer gear. It never ends. The only way to really be secure is to unplug it, power it off, and put the computer in a vault somewhere. In the home environment there is only so much you can before it becomes a burden on either the admin (usually you) or your users (the spouse, kids, friends, family, etc).

#1 - Keep things patched and updated
#2 - Follow decent password habits (unique, not written down, decently complex, changed on a somewhat regular basis)(find a proper password manager and use it!!!)
#3 - Limit inbound to absolutely required...and properly secure any inbound (DMZ, Application Firewalls, etc)
#4 - Limit outbound connectivity as much as possible (don't piss off the Wife...quickest way to end up with the default ISP router again)

In my house, I don't follow #2 very well I must admit...and I am a security professional by trade...but I follow most of the others. Too many times in the past I have found myself not remember what password I used for this specific device which I only log into once a year. Applying #4 in a reasonable manner is the big challenge here. I do not use my ISP DNS Servers. I do run my own internal DNS server but this was more related to handling local DNS resolution than anything else.
- DNS queries are only openly allowed outbound from my DNS server
- IPv6 is disabled and blocked (double NAT so proper IPv6 isn't possible in my environment)
- My file server does not have direct Internet access available (must use proxy)
- I run a filtering Web Proxy that "most" of my clients utilize (at a minimum, it gives me more detailed logs of what a client has been doing vs just the IP the firewall logs give)

I used to restrict the outbound ports in general at the firewall and at the proxy....but that was an administrative nightmare and I kept pissing the wife off when she couldn't complete her course work for school since blackboard.com runs on oddball ports. I gave up on this practice in the 2007-2008 time frame since more and more of the web was no longer as heavily standardized on 80 and 443 as it had been in the past.

Also keep in mind...the more complicated you make it, the more difficult it is to recover from a hardware failure in a timely manner. In my younger years, I had nothing better to do than sit and tinker with computers and hardware all night long if I felt like it....I also didn't have a spouse who required Internet access. So if it took me 2-3 days to restore things to normal, no big deal. Fast forward 15 years, there is a spouse as well as I work from home...so if the Internet is down for more than an hour or two...it is for sure impacting things. It is one reason I have chosen to keep my ISP router in place. If my pfSense box were to fail, we can at least for the short-term jump over to that WiFi for a day until I can get a new PC to restore from backup.

 

[System Error Message]

If you want to be uber paranoid and try to secure everything possible....we are way outside of that in these forums using consumer gear. It never ends. The only way to really be secure is to unplug it, power it off, and put the computer in a vault somewhere. In the home environment there is only so much you can before it becomes a burden on either the admin (usually you) or your users (the spouse, kids, friends, family, etc).

#1 - Keep things patched and updated
#2 - Follow decent password habits (unique, not written down, decently complex, changed on a somewhat regular basis)(find a proper password manager and use it!!!)
#3 - Limit inbound to absolutely required...and properly secure any inbound (DMZ, Application Firewalls, etc)
#4 - Limit outbound connectivity as much as possible (don't piss off the Wife...quickest way to end up with the default ISP router again)

In my house, I don't follow #2 very well I must admit...and I am a security professional by trade...but I follow most of the others. Too many times in the past I have found myself not remember what password I used for this specific device which I only log into once a year. Applying #4 in a reasonable manner is the big challenge here. I do not use my ISP DNS Servers. I do run my own internal DNS server but this was more related to handling local DNS resolution than anything else.
- DNS queries are only openly allowed outbound from my DNS server
- IPv6 is disabled and blocked (double NAT so proper IPv6 isn't possible in my environment)
- My file server does not have direct Internet access available (must use proxy)
- I run a filtering Web Proxy that "most" of my clients utilize (at a minimum, it gives me more detailed logs of what a client has been doing vs just the IP the firewall logs give)

I used to restrict the outbound ports in general at the firewall and at the proxy....but that was an administrative nightmare and I kept pissing the wife off when she couldn't complete her course work for school since blackboard.com runs on oddball ports. I gave up on this practice in the 2007-2008 time frame since more and more of the web was no longer as heavily standardized on 80 and 443 as it had been in the past.

Also keep in mind...the more complicated you make it, the more difficult it is to recover from a hardware failure in a timely manner. In my younger years, I had nothing better to do than sit and tinker with computers and hardware all night long if I felt like it....I also didn't have a spouse who required Internet access. So if it took me 2-3 days to restore things to normal, no big deal. Fast forward 15 years, there is a spouse as well as I work from home...so if the Internet is down for more than an hour or two...it is for sure impacting things. It is one reason I have chosen to keep my ISP router in place. If my pfSense box were to fail, we can at least for the short-term jump over to that WiFi for a day until I can get a new PC to restore from backup.

There are 3 queues, inbound, outbound and forward. Inbound and outbound traffic are directed to the router itself while forward is what you want to filter. In a lot of cases both forward and inbound (input) are relevant.

 

[coxhaus]

There are 3 queues, inbound, outbound and forward. Inbound and outbound traffic are directed to the router itself while forward is what you want to filter. In a lot of cases both forward and inbound (input) are relevant.

Your Qs may work different with your router. I have inbound and outbound in the Cisco RV320 router.. There is always DMZ which I don't use now days. because it is too complicated for me to maintain and I can get along without it. I am a retired guy. I want easy. Not sure what your forward Q is.

It does not matter if you have a network client try to talk outbound to a DNS server because it will be a one sided conversation because you are blocking it on the inbound Q ( if you want to call it that) unless it matches your preferred DNS server which for me is my ISP's DNS server otherwise it is blocked. No reason to block on the outbound Q side. To me it is still wasted CPU cycles blocking both inbound and outbound for the same thing which results in slower internet performance from your router.

 

[System Error Message]

Your Qs may work different with your router. I have inbound and outbound in the Cisco RV320 router.. There is always DMZ which I don't use now days. because it is too complicated for me to maintain and I can get along without it. I am a retired guy. I want easy. Not sure what your forward Q is.

It does not matter if you have a network client try to talk outbound to a DNS server because it will be a one sided conversation because you are blocking it on the inbound Q ( if you want to call it that) unless it matches your preferred DNS server which for me is my ISP's DNS server otherwise it is blocked. No reason to block on the outbound Q side. To me it is still wasted CPU cycles blocking both inbound and outbound for the same thing which results in slower internet performance from your router.

but if you block without hijacking DNS queries from LAN, some devices like google chrome browser, androids, IOS devices and windows phones will fail to work since they all have hardcoded DNS servers set in them to their own provider (like google for google chrome).

 

[coxhaus]

It works for me. I have been doing this for over 10 years can't remember how long but since I was hacked. All network devices have always worked configured this way. I now mainly use Microsoft Edge. We have multiple iPhones, Apple TV, and Alexa Echo. They all work. I don't want to use a product with a special required DNS. The way I setup my router is a permit for my ISP's DNS and a deny for all other DNS servers on the WAN side for port 53 for both UDP and TCP.

I would say if they have hard coded DNS then it is not important enough for me to use. If it fails to work for advertisements then great.

PS
I would think most organizations would block all but their DNS server at their firewalls. So I don't know how stuff does not work. We did back when I was working. I know also in the old days when I needed to be up on networking I ran a Microsoft network in my house using Microsoft DNS. I blocked all DNS traffic except for my local DNS server. Now that I have thought about it to say a major software vender would write software with hard coded DNS seems like nonsense to me. So I do not believe it.